Review of Microsoft's Patch Tuesday

[Symantec]

Review of Microsoft's Patch Tuesday
<p>Hello, and welcome once again to the monthly Microsoft patch roundup. This month’s release is relatively light, with six bulletins available addressing a total of nine vulnerabilities.</p>

<p><strong>1. Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (KB923810)</strong></p>

<p>CVE-2007-2217, BID 25909<br />
Microsoft Windows Kodak Image Viewer Remote Code Execution Vulnerability<br />
(MS Rating: Critical; Symantec Urgency Rating: 7)</p>

<p>This is a client-side, remote code execution vulnerability in the Kodak Image Viewer when viewing specially crafted image files. An attacker can exploit this issue to execute arbitrary code in the context of the victim running the affected application. A victim would need to view a malicious image to trigger this vulnerability.</p>

<p>Windows XP and Windows 2003 installations are only vulnerable if they were upgraded from Windows 2000.</p>

<p>Affected Products: <br />
Windows 2000 Server SP4; Windows XP SP2; and Windows Server 2003 SP1 & SP2</p>

<p><strong>2. Vulnerability in RPC Could Allow Denial of Service (KB933729)</strong></p>

<p>CVE-2007-2228, BID 25974<br />
Microsoft Windows RPC NTLMSSP Remote Denial Of Service Vulnerability<br />
(MS Rating: Important; Symantec Urgency Rating: 6)</p>

<p>This is a denial-of-service vulnerability affecting RPC (remote procedure call). This issue occurs in NTLM when handling malformed packets using the NTLMSSP authentication type. This is due to a failure in communicating with the NTLM security provider when performing authentication of RPC requests. An attacker could exploit this issue to cause the vulnerable computer to stop responding and restart.</p>

<p>Affected Products:<br />
Windows 2000 SP4; Windows XP SP1, SP2; & x64 Edition; Windows Server 2003, SP1 & x64 Edition; Windows Server 2003 for Itanium-based Systems & SP1; Windows Vista and Windows Vista x64 Edition</p>

<p><strong>3. Cumulative Security Update for Internet Explorer (KB939653)</strong></p>

<p>This update addresses a total of four vulnerabilities, one of which can lead to attacker-supplied code being executed in the context of the user, and three of which involve an attacker being able to spoof the contents of the address bar. </p>

<p>CVE-2007-3893, BID 25916<br />
Microsoft Internet Explorer Script Error Handling Memory Corruption <br />
(MS Rating: Critical; Symantec Urgency Rating: 7)</p>

<p>This is a client-side, remote code execution vulnerability in Internet Explorer. This issue occurs when the application attempts to access memory that has already been freed when handling script errors. An attacker could exploit this issue to execute arbitrary code in the context of the user running Internet Explorer. </p>

<p>Affected Products:<br />
Internet Explorer 5.01, 6 and 7</p>

<p>The following three items all are different ways an attacker could falsify the content displayed in the address bar of the browser – a potentially effective addition to phishing sites. When navigating away from a site, the content displayed will stay the same but the address bar and other attributes will show the intended destination site. In all of these, if the victim user were to interact with the content in the browser window, the address bar would be updated to reflect the actual location of the loaded document. All of these also affect IE 5.01, 6, and 7.</p>

<p>CVE-2007-1091, BID 22680 <br />
Microsoft Internet Explorer OnUnload Javascript Browser Entrapment <br />
Vulnerability<br />
(MS Rating: Moderate; Symantec Urgency Rating: 7)</p>

<p>This is the oldest of the three issues, having been initially reported publicly on Feb 22 of this year. This issue is due to an error in the JavaScript 'onUnload' handler.</p>

<p>CVE-2007-3826 (BID 24911) <br />
Microsoft Internet Explorer OnBeforeUnload Javascript Browser Entrapment Vulnerability <br />
(MS Rating: Moderate; Symantec Urgency Rating: 7) </p>

<p>This method was originally publicly disclosed on July 14 of this year, and is due to an error in the JavaScript 'onBeforeUnload' handler.</p>

<p>CVE-2007-3892 BID 25915<br />
Microsoft Internet Explorer Address Bar Spoofing Vulnerability<br />
(MS Rating: Moderate; Symantec Urgency Rating: 5)</p>

<p>This third method has not been publicly discussed prior to the release of this update. As such, no exploit information is known to exist in the wild.</p>

<p><strong>4. Cumulative Security Update for Outlook Express and Windows (KB941202)</strong></p>

<p>CVE-2007-3897, BID 25908 <br />
Microsoft Outlook Express And Windows Mail NNTP Remote Code Execution <br />
(MS Rating: Critical, Symantec Urgency Rating 7)</p>

<p>This is a client-side remote code execution vulnerability in Outlook Express and Windows Mail. This issue is due to a failure to properly handle malformed NNTP (Network News Transfer Protocol) responses. An attacker who tricks an unsuspecting victim into a viewing a malicious webpage could exploit this issue to execute arbitrary code in the context of the victim.</p>

<p>Affected Products:<br />
Outlook Express 5.5<br />
Outlook Express 6<br />
Windows Mail<br />
Windows XP & SP2<br />
Windows XP Professional x64 Edition & SP2<br />
Windows 2000 Service Pack 4<br />
Windows Server 2003 SP1 & SP2<br />
Windows Server 2003 x64 Edition & SP2<br />
Windows Server 2003 with SP1 for Itanium-based Systems & SP2<br />
Windows Vista<br />
Windows Vista x64 Edition</p>

<p><strong>5. Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege within the SharePoint Site (KB942017)</strong></p>

<p>CVE-2007-2581 (BID 23832) <br />
Microsoft SharePoint Server Cross-Site Scripting Vulnerability <br />
(MS Rating: Important; Symantec Urgency Rating: 7)</p>

<p>This is a cross-site scripting vulnerability in SharePoint Services, initially published on May 4.An attacker could exploit this issue to execute arbitrary script code in the context of the affected SharePoint site.</p>

<p>Affected Products:<br />
Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007</p>

<p><strong>6. Vulnerability in Microsoft Office Could Allow Remote Code Execution (KB942695)</strong></p>

<p>CVE-2007-3899, BID 25906<br />
Microsoft Word Workspace Memory Corruption Remote Code Execution <br />
Vulnerability<br />
(MS Rating: Critical; Symantec Urgency Rating: 7)</p>

<p>This is a remote code execution vulnerability affecting Word. An attacker must entice an unsuspecting victim into opening a malicious Word file with malformed strings, to exploit this issue.</p>

<p>This could also result in a denial-of-service in Microsoft Office 2003. Microsoft does not list this in the affected packages.</p>

<p>Affected Products:<br />
Microsoft Office 2000, Microsoft Office XP, and Microsoft Office 2004 for Mac</p>

<p>As always, more information on each of these specific issues is available at <a href="http://www.securityfocus.com">http://www.securityfocus.com</a> or via the DeepSight services. Cheers, and may all your roll-outs go smoothly.</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/10/review_of_microsofts_patch_tue_1.html
http://www.symantec.com/enterprise/security_response/weblog/2007/10/review_of_microsofts_patch_tue_1.html
Tue, 09 Oct 2007 13:00:00 -0800